
> However, what OIDC does relating to signing is far worse. In many OIDC deployments, the idea is you use something called “OIDC Discovery” [3] to discover the expected signing keys for the OIDC server. You fetch those regularly (e.g. daily), and do so over TLS. With SAML, you exchange certificates, and then rotate them every 2-3 years (with things blowing up on expiration), but with OIDC, you often end up using OIDC-Discovery, and thus can change keys daily.

I would bet a lot of money that a non-trivial number of people do exactly this in the real world using SAML (Shibboleth: FileBackedHTTPMetadataProvider or DynamicHTTPMetadataProvider). It's not always manually managed.




We do retrieve SAML federation metadata daily, but the metadata feed is signed using a pinned long-term key of the federation manager, so there's no reliance on WebPKI or even TLS. (Not Shibboleth, but it would be SignatureValidationFilter there.)



